Bug 162899 - (CVE-2002-1903) CVE-2002-1903 pine username disclosure issue
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: pine
All Linux
Priority: medium, Severity: low
Assigned To: X/OpenGL Maintenance List
Ben Levenson
Keywords: Security
Reported: 2005-07-11 11:19 EDT by Josh Bressers
Modified: 2012-08-19 03:47 EDT (History)
Doc Type: Bug Fix
Last Closed: 2006-03-09 03:58:46 EST
Description Josh Bressers 2005-07-11 11:19:41 EDT
This text is taken from here:
From: Roger Marquis

    The Pine email client allows users to define the "From:"
    address independent of their Unix username. This is an
    indispensable feature for help desks and other role accounts.

    Unfortunately, user names and/or ids can still be leaked due to
    Pine's insertion of "Sender:" and/or "X-Sender:" headers. Pine
    versions earlier than 4.44 may also insert the Unix username
    into other envelope and header fields. 

That message also contains a patch for this issue.
Comment 2 Mark J. Cox (Product Security) 2007-07-20 08:02:53 EDT
This is a debatable security issue: it's the way many mailers worked, it was
documented behaviour, and it is of minimal security consequence. It's not worth
issuing a security update for RHEL2.1 to correct this issue. wontfix.
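
For sites that rely on role addresses, the disclosure described in the report can be checked on captured outgoing mail. The following is an added example, not code from the bug, the referenced patch or Pine itself: it flags "Sender:" and "X-Sender:" headers whose address differs from the "From:" address. The function name and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers the report names as carrying the Unix username.
LEAK_HEADERS = ("Sender", "X-Sender")


def leaked_identities(raw_message):
    """Return (header, address) pairs that expose an address other than From:."""
    msg = message_from_string(raw_message)
    from_addrs = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("From", []))
        if addr
    }
    findings = []
    for header in LEAK_HEADERS:
        for _, addr in getaddresses(msg.get_all(header, [])):
            # Same address as From: discloses nothing new; anything else does.
            if addr and addr.lower() not in from_addrs:
                findings.append((header, addr))
    return findings


# Constructed sample: role account in From:, personal account in the extra headers.
ROLE_MESSAGE = (
    "From: Help Desk <helpdesk@example.org>\n"
    "Sender: jdoe@mailhost.example.org\n"
    "X-Sender: jdoe@mailhost.example.org\n"
    "To: customer@example.net\n"
    "Subject: Your ticket\n"
    "\n"
    "Body text.\n"
)

# Constructed sample: Sender: matches From:, so no additional identity is exposed.
CLEAN_MESSAGE = (
    "From: Help Desk <helpdesk@example.org>\n"
    "Sender: HELPDESK@example.org\n"
    "To: customer@example.net\n"
    "Subject: Your ticket\n"
    "\n"
    "Body text.\n"
)

if __name__ == "__main__":
    for name, raw in (("role", ROLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, leaked_identities(raw))
```
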
